今天把IPSec中的DPD研究了一下

shichunda

完善一下。
cry is keep 10 period时的debug cry is。摘了两条，看一下时间间隔。
附件是从 cisco command lookup中查到的debug cry isakmp信息和DPD配置文档。


r1#
r1#
r1#
*Mar  1 00:10:33.011: ISAKMP: set new node -1248246890 to QM_IDLE      
*Mar  1 00:10:33.019: ISAKMP0:1:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1
        spi 1691600296, message ID = -1248246890
*Mar  1 00:10:33.019: ISAKMP0:1:SW:1): seq. no 0x1031DE7F
*Mar  1 00:10:33.027: ISAKMP0:1:SW:1): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) QM_IDLE      
*Mar  1 00:10:33.031: ISAKMP0:1:SW:1):purging node -1248246890
*Mar  1 00:10:33.035: ISAKMP0:1:SW:1):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
*Mar  1 00:10:33.035: ISAKMP0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 00:10:33.371: ISAKMP (0:134217729): received packet from 192.168.1.1 dport 500 sport 500 Global (I) QM_IDLE      
*Mar  1 00:10:33.375: ISAKMP: set new node 285987985 to QM_IDLE      
*Mar  1 00:10:33.387: ISAKMP0:1:SW:1): processing HASH payload. message ID = 285987985
*Mar  1 00:10:33.391: ISAKMP0:1:SW:1): processing NOTIFY DPD/R_U_THERE protocol 1
r1#
        spi 0, message ID = 285987985, sa = 6432D894
*Mar  1 00:10:33.395: ISAKMP0:1:SW:1):deleting node 285987985 error FALSE reason "Informational (in) state 1"
*Mar  1 00:10:33.395: ISAKMP0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 00:10:33.399: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 00:10:33.411: ISAKMP:(0:1:SW:1)PD/R_U_THERE received from peer 192.168.1.1, sequence 0x6125088C
*Mar  1 00:10:33.415: ISAKMP: set new node 1388886151 to QM_IDLE      
*Mar  1 00:10:33.423: ISAKMP:(0:1:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 1691600312, message ID = 1388886151
*Mar  1 00:10:33.423: ISAKMP:(0:1:SW:1): seq. no 0x6125088C
*Mar  1 00:10:33.431: ISAKMP:(0:1:SW:1): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) QM_IDLE      
*Mar  1 00:10:33.431: ISAKMP:(0:1:SW:1):purging node 1388886151
*Mar  1 00:10:33.435: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Mar  1 00:10:
r1#33.439: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 00:10:33.443: ISAKMP (0:134217729): received packet from 192.168.1.1 dport 500 sport 500 Global (I) QM_IDLE      
*Mar  1 00:10:33.447: ISAKMP: set new node -131460138 to QM_IDLE      
*Mar  1 00:10:33.455: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -131460138
*Mar  1 00:10:33.459: ISAKMP:(0:1:SW:1): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 0, message ID = -131460138, sa = 6432D894
*Mar  1 00:10:33.463: ISAKMP:(0:1:SW:1): DPD/R_U_THERE_ACK received from peer 192.168.1.1, sequence 0x1031DE7F---@@@@@@@@@@@@@@@@@@@
*Mar  1 00:10:33.467: ISAKMP:(0:1:SW:1):deleting node -131460138 error FALSE reason "Informational (in) state 1"
*Mar  1 00:10:33.471: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 00:10:33.471: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

r1#
r1#
r1#
r1#
r1#
r1#
r1#
r1#
r1#
r1#
*Mar  1 00:10:42.991: ISAKMP: set new node 1684628138 to QM_IDLE      
*Mar  1 00:10:42.999: ISAKMP:(0:1:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1
        spi 1691600296, message ID = 1684628138
*Mar  1 00:10:42.999: ISAKMP:(0:1:SW:1): seq. no 0x1031DE80
*Mar  1 00:10:43.007: ISAKMP:(0:1:SW:1): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) QM_IDLE      
*Mar  1 00:10:43.011: ISAKMP:(0:1:SW:1):purging node 1684628138
*Mar  1 00:10:43.011: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
*Mar  1 00:10:43.015: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 00:10:43.419: ISAKMP (0:134217729): received packet from 192.168.1.1 dport 500 sport 500 Global (I) QM_IDLE      
*Mar  1 00:10:43.423: ISAKMP: set new node 2030419302 to QM_IDLE      
*Mar  1 00:10:43.431: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 2030419302
*Mar  1 00:10:43.435: ISAKMP:(0:1:SW:1): processing NOTIFY DPD/R_U_THERE_ACK protoco
r1#l 1
        spi 0, message ID = 2030419302, sa = 6432D894
*Mar  1 00:10:43.439: ISAKMP:(0:1:SW:1): DPD/R_U_THERE_ACK received from peer 192.168.1.1, sequence 0x1031DE80---@@@@@@@@@@@@@@@@@@@@@@@
*Mar  1 00:10:43.443: ISAKMP:(0:1:SW:1):deleting node 2030419302 error FALSE reason "Informational (in) state 1"
*Mar  1 00:10:43.447: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 00:10:43.447: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 00:10:44.211: ISAKMP:(0:1:SW:1):purging node 450092584
r1#
r1#
r1#
r1#
r1#un all
All possible debugging has been turned off

testvpn

啊，原来cisco中还有on demand这个功能啊，我接触的产品中都是用的固定时间间隔的。。。

shichunda

估计是你用的ios太老了
我用的ios中on-demand是default的。

醉卧水云间

这种功能不值一提, 几条语句而已.

shichunda

原帖由 醉卧水云间 于 2009-12-19 23:47 发表
这种功能不值一提, 几条语句而已.

呵呵，什么配置不是几条语句啊。做这个测试只是因为和我以前想的不一样而已。
一般的网络用不用无所谓，但在链路不是很稳定的网络，我觉得还是敲上好一点。

ssffzz1

原帖由 醉卧水云间 于 2009-12-19 23:47 发表
这种功能不值一提, 几条语句而已.

poweroff 只有一条，你敢没事就执行吗？？？？

语句多少和功能不成正比。

leeshameless

按照文档上的说明，符合了以上两个条件了，所以就应该发送DPD包来证明链路是好的并传输数据，但结果出乎意料，没发。--------------Cisco的IKE协商是需要流量触发，从没有协商过IKE，所以他当然没有建立SA，当然也不需要做DPD检测（因为得先有SA啊，不然检测什么）

月是夜的明

楼主，这个DPD是在IPSEC中起到什么作用啊

月是夜的明

楼主，这个DPD是在IPSEC中起到什么作用啊

Riet

月是夜的明 发表于 2015-10-23 18:54
楼主，这个DPD是在IPSEC中起到什么作用啊

检测IPsec中如果链路有问题 就把SA删掉，不然要傻呼呼的等个默认1天。